11:44 p.m.
Hi Julia,
Thank you for reporting this.
This has been fixed by the commit d15525adb4b5 ("spi: spi-zynqmp-gqspi:
fix use-after-free in zynqmp_qspi_exec_op") which is in
linux-xlnx/master branch. I guess it is waiting to be merged into 5.10
branch.
Thanks,
Quanyang
On 2021/12/18 下午5:58, Julia Lawall wrote:
> Hello,
>
> Line 968 seems to need an unlock.
>
> julia
>
> ---------- Forwarded message ----------
> Date: Sat, 18 Dec 2021 03:01:38 +0800
> From: kernel test robot <lkp(a)intel.com>
> To: kbuild(a)lists.01.org
> Cc: lkp(a)intel.com, Julia Lawall <julia.lawall(a)lip6.fr>
> Subject: [xilinx-xlnx:xlnx_rebase_v5.10 65/1981]
> drivers/spi/spi-zynqmp-gqspi.c:968:3-9: preceding lock on line 959
>
> CC: kbuild-all(a)lists.01.org
> CC: linux-arm-kernel(a)lists.infradead.org
> TO: Quanyang Wang <quanyang.wang(a)windriver.com>
> CC: Michal Simek <monstr(a)monstr.eu>
> CC: Amit Kumar Mahapatra <amit.kumar-mahapatra(a)xilinx.com>
>
> tree: https://github.com/Xilinx/linux-xlnx xlnx_rebase_v5.10
> head: 87ec9a2d98a7a7dfc98b57348a0ec310fd170e4b
> commit: bc753db9c74d949b33bbb8b08a9b6340b57a444f [65/1981] spi: spi-zynqmp-gqspi: add
mutex locking for exec_op
> :::::: branch date: 3 days ago
> :::::: commit date: 9 months ago
> config: x86_64-randconfig-c002-20211216
(https://download.01.org/0day-ci/archive/20211218/202112180238.NUlXfiNL-lk...)
> compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp(a)intel.com>
> Reported-by: Julia Lawall <julia.lawall(a)lip6.fr>
>
>
> cocci warnings: (new ones prefixed by >>)
>>> drivers/spi/spi-zynqmp-gqspi.c:968:3-9: preceding lock on line 959
>
> vim +968 drivers/spi/spi-zynqmp-gqspi.c
>
> 9e3a000362aecb Naga Sureshkumar Relli 2018-03-26 934
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 935 /**
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 936 * zynqmp_qspi_exec_op() -
Initiates the QSPI transfer
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 937 * @mem: The SPI memory
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 938 * @op: The memory operation
to execute
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 939 *
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 940 * Executes a memory
operation.
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 941 *
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 942 * This function first
selects the chip and starts the memory operation.
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 943 *
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 944 * Return: 0 in case of
success, a negative error code otherwise.
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 945 */
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 946 static int
zynqmp_qspi_exec_op(struct spi_mem *mem,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 947 const struct
spi_mem_op *op)
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 948 {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 949 struct zynqmp_qspi *xqspi =
spi_controller_get_devdata
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 950
(mem->spi->master);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 951 int err = 0, i;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 952 u8 *tmpbuf;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 953 u32 genfifoentry = 0;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 954
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 955 dev_dbg(xqspi->dev,
"cmd:%#x mode:%d.%d.%d.%d\n",
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 956 op->cmd.opcode,
op->cmd.buswidth, op->addr.buswidth,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 957 op->dummy.buswidth,
op->data.buswidth);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 958
> bc753db9c74d94 Quanyang Wang 2020-11-19 @959
mutex_lock(&xqspi->op_lock);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 960 zynqmp_qspi_config_op(xqspi,
mem->spi);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 961
zynqmp_qspi_chipselect(mem->spi, false);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 962 genfifoentry |=
xqspi->genfifocs;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 963 genfifoentry |=
xqspi->genfifobus;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 964
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 965 if (op->cmd.opcode) {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 966 tmpbuf =
kzalloc(op->cmd.nbytes, GFP_KERNEL | GFP_DMA);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 967 if (!tmpbuf)
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 @968 return -ENOMEM;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 969 tmpbuf[0] =
op->cmd.opcode;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 970
reinit_completion(&xqspi->data_completion);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 971 xqspi->txbuf = tmpbuf;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 972 xqspi->rxbuf = NULL;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 973 xqspi->bytes_to_transfer
= op->cmd.nbytes;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 974 xqspi->bytes_to_receive
= 0;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 975 zynqmp_qspi_write_op(xqspi,
op->cmd.buswidth, genfifoentry);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 976 zynqmp_gqspi_write(xqspi,
GQSPI_CONFIG_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 977
zynqmp_gqspi_read(xqspi, GQSPI_CONFIG_OFST) |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 978
GQSPI_CFG_START_GEN_FIFO_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 979 zynqmp_gqspi_write(xqspi,
GQSPI_IER_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 980
GQSPI_IER_GENFIFOEMPTY_MASK |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 981
GQSPI_IER_TXNOT_FULL_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 982 if
(!wait_for_completion_interruptible_timeout
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 983
(&xqspi->data_completion, msecs_to_jiffies(1000))) {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 984 err = -ETIMEDOUT;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 985 kfree(tmpbuf);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 986 goto return_err;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 987 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 988 kfree(tmpbuf);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 989 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 990
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 991 if (op->addr.nbytes) {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 992 for (i = 0; i <
op->addr.nbytes; i++) {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 993 *(((u8 *)xqspi->txbuf)
+ i) = op->addr.val >>
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 994 (8 * (op->addr.nbytes
- i - 1));
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 995 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 996
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 997
reinit_completion(&xqspi->data_completion);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 998 xqspi->rxbuf = NULL;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 999 xqspi->bytes_to_transfer
= op->addr.nbytes;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1000 xqspi->bytes_to_receive
= 0;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1001 zynqmp_qspi_write_op(xqspi,
op->addr.buswidth, genfifoentry);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1002 zynqmp_gqspi_write(xqspi,
GQSPI_CONFIG_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1003
zynqmp_gqspi_read(xqspi,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1004 GQSPI_CONFIG_OFST)
|
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1005
GQSPI_CFG_START_GEN_FIFO_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1006 zynqmp_gqspi_write(xqspi,
GQSPI_IER_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1007 GQSPI_IER_TXEMPTY_MASK
|
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1008
GQSPI_IER_GENFIFOEMPTY_MASK |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1009
GQSPI_IER_TXNOT_FULL_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1010 if
(!wait_for_completion_interruptible_timeout
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1011
(&xqspi->data_completion, msecs_to_jiffies(1000))) {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1012 err = -ETIMEDOUT;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1013 goto return_err;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1014 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1015 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1016
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1017 if (op->dummy.nbytes) {
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1018 xqspi->txbuf = NULL;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1019 xqspi->rxbuf = NULL;
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1020 /*
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1021 *
xqspi->bytes_to_transfer here represents the dummy circles
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1022 * per data line.
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1023 */
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1024 xqspi->bytes_to_transfer
= op->dummy.nbytes * 8 / op->dummy.buswidth;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1025 xqspi->bytes_to_receive
= 0;
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1026 /*
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1027 * Using
op->data.buswidth instead of op->dummy.buswidth since
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1028 * the specification
requires that the dummy.buswidth should
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1029 * be the same as
data.buswidth.
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1030 */
> 5e19e3ddfa5d4b Quanyang Wang 2020-11-16 1031 zynqmp_qspi_write_op(xqspi,
op->data.buswidth,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1032 genfifoentry);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1033 zynqmp_gqspi_write(xqspi,
GQSPI_CONFIG_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1034
zynqmp_gqspi_read(xqspi, GQSPI_CONFIG_OFST) |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1035
GQSPI_CFG_START_GEN_FIFO_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1036 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1037
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1038 if (op->data.nbytes) {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1039
reinit_completion(&xqspi->data_completion);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1040 if (op->data.dir ==
SPI_MEM_DATA_OUT) {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1041 xqspi->txbuf = (u8
*)op->data.buf.out;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1042 xqspi->rxbuf = NULL;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1043
xqspi->bytes_to_transfer = op->data.nbytes;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1044 xqspi->bytes_to_receive
= 0;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1045
zynqmp_qspi_write_op(xqspi, op->data.buswidth,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1046 genfifoentry);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1047 zynqmp_gqspi_write(xqspi,
GQSPI_CONFIG_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1048 zynqmp_gqspi_read
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1049 (xqspi,
GQSPI_CONFIG_OFST) |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1050
GQSPI_CFG_START_GEN_FIFO_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1051 zynqmp_gqspi_write(xqspi,
GQSPI_IER_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1052
GQSPI_IER_TXEMPTY_MASK |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1053
GQSPI_IER_GENFIFOEMPTY_MASK |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1054
GQSPI_IER_TXNOT_FULL_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1055 } else {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1056 xqspi->txbuf = NULL;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1057 xqspi->rxbuf = (u8
*)op->data.buf.in;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1058 xqspi->bytes_to_receive
= op->data.nbytes;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1059
xqspi->bytes_to_transfer = 0;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1060 zynqmp_qspi_read_op(xqspi,
op->data.buswidth,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1061 genfifoentry);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1062 zynqmp_gqspi_write(xqspi,
GQSPI_CONFIG_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1063 zynqmp_gqspi_read
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1064 (xqspi,
GQSPI_CONFIG_OFST) |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1065
GQSPI_CFG_START_GEN_FIFO_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1066 if (xqspi->mode ==
GQSPI_MODE_DMA) {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1067 zynqmp_gqspi_write
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1068 (xqspi,
GQSPI_QSPIDMA_DST_I_EN_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1069
GQSPI_QSPIDMA_DST_I_EN_DONE_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1070 } else {
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1071 zynqmp_gqspi_write(xqspi,
GQSPI_IER_OFST,
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1072
GQSPI_IER_GENFIFOEMPTY_MASK |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1073
GQSPI_IER_RXNEMPTY_MASK |
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1074
GQSPI_IER_RXEMPTY_MASK);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1075 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1076 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1077 if
(!wait_for_completion_interruptible_timeout
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1078
(&xqspi->data_completion, msecs_to_jiffies(1000)))
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1079 err = -ETIMEDOUT;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1080 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1081
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1082 return_err:
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1083
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1084
zynqmp_qspi_chipselect(mem->spi, true);
> bc753db9c74d94 Quanyang Wang 2020-11-19 1085
mutex_unlock(&xqspi->op_lock);
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1086
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1087 return err;
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1088 }
> 1c26372e5aa9e5 Amit Kumar Mahapatra 2020-09-24 1089
>
> :::::: The code at line 968 was first introduced by commit
> :::::: 1c26372e5aa9e53391a1f8fe0dc7cd93a7e5ba9e spi: spi-zynqmp-gqspi: Update driver
to use spi-mem framework
>
> :::::: TO: Amit Kumar Mahapatra <amit.kumar-mahapatra(a)xilinx.com>
> :::::: CC: Mark Brown <broonie(a)kernel.org>
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
>